Chapter 6 - Newbie Questions Answered

Same disclaimer... I didn't write these chapters... Also, the files needed for this chapter are all included in the attached Zip file.
------------------------------------------------------------------------
Previous Chapters -

Last volume we talked about playing around with ICQ and we briefly mentioned the ICQ password. Here is what I said:

Versions before ICQ99b store the ICQ password in plain text (i.e. not encrypted) in their DB file (I believe they are now encrypted? - email me if I am wrong). The DB file is located in the following different places depending on your version:

Version lower than ICQ99a = \ICQ\DB\

ICQ99a = \ICQ\NewDB\

ICQ99b = \ICQ\DB99b\

Simply look through the file for the password - it usually appears on the line beginning "iUserSound". You could also use the web-server exploit detailed earlier to get the DB file.

Well, I have been doing some research on the ICQ99b password - and yes, it is still in the DB file...but encrypted. The DB files are two files which are called:

<your UIN>.dat
<your UIN>.idx

In order to decrypt the ICQ password, you will need 3 pieces of information:

Your UIN
Your CryptIV value
The encrypted password
Your ICQ99b password is encrypted in the .dat file, in the folder \ICQ\DB99b\ and it appears after the text:

Password

I bet you couldn't have guessed that one! Right, the actual encrypted password is the text 4 chars on from the word 'password'. Here is an example:

Password k§ af799034f6bb402e837f

So, 4 chars after the word 'Password' makes the encrypted password:

af799034f6bb402e837f

Some of you may have noticed that the encrypted password is actually made up of hex. Now what we do is make the encrypted password a bit more friendly - by putting spaces in and making it uppercase!

AF 79 90 34 F6 BB 40 2E 83 7F

This is just so you will be able to read each hex number easily later on - you don't have to worry about this if you don't want to.

**Note**

For the people familiar with hex, this obviously represents:

0xAF
0x79
0x90
0x34
0xF6
0xBB
0x40
0x2E
0x83
0x7F

**Note**

Now to get the other important item - your CryptIV value! This will appear in the .dat file - after the text:

99BCryptIV

which is just before the word 'password'. The CryptIV value is used in generating the decryption key.

Search the .dat file for "99BCryptIV", and then once you have found it, skip past the null terminator and character 'h'. In other words - ignore the first 2 characters after the word "99BCryptIV". The next 4 characters are your CryptIV value. They will probably look like strange ascii characters. Here is an example of what you could find:

99BCryptIV h]ß˜t

In the case above, the CryptIV value would be:

]ß˜t

Now we need to work out the ascii values of each character, like so:

] = 93
ß = 223
˜ = 152
t = 116

For all you newbies, the Ascii value of something is its numerical value. Every single character on the keyboard has a special number associated with it called the Ascii value.

Now the fun bit!

Once you have your 4 character long CryptIV value converted to ascii, we need to perform this calculation with it:

( 1st + 2nd * 256 + 3rd * 65536 + 4th * 16777216 ) = CryptIV

The 1st, 2nd, 3rd, and 4th bits represent the ascii value of each character of the 99BCryptIV. So, for our example, we would do:

(93 + 223 * 256 + 152 * 65536 + 116 * 16777216) = 1956175709

The final step is to convert the result into hex. Yes, I'm afraid it has to be done. The easiest way is to go into a programming language and make it convert it. For example, to convert the result above using Visual Basic, the code would be:

msgbox hex(1956175709)

That simple! The code above will make it display a message box showing the hex value. In delphi that code would be:

showmessage(inttohex(1956175709,1));

After converting to hex, you should get the value:

7498DF5D

This can be properly represented as 0x7498DF5D or 7498DF5Dh depending on how you're inclined.

Now we need to use the above information to generate a decryption key (or an XOR key). This is quite complicated, and it would not be feasible for us to do it manually here - but you can use the program I compiled quickly for this volume. It should be along with this file, and it's called "ICQ99b.exe".

Actually, all we need to generate the decryption key is the UIN and the CryptIV - but we will need the Encrypted password soon. Go into the program and enter the UIN and the CryptIV and click "Generate Key". Keep a note of the key it generates for you.

**Note**

Although the XOR key generating process is too complex to do here manually, I have included the source to it with this volume. It is called "XorKeyGn.pas" and it is written in pascal. The compiled program "ICQ99b.exe" is merely a port of this source code into delphi to make it easier for newbies to generate the XOR key. The XorKeyGn.pas source was written entirely by CovertD - who is a very talented coder and deserves all the credit for this decryption; he has helped me to understand this decryption and create this tutorial for you.

**Note**

Ok! once you have the decryption key - the real decryption can begin. The decryption will require you to be familiar with XOR - if you are not familiar with this...I have included the visual basic and delphi source code to decrypt it.

The hands-on approach:

What we now need to do is XOR the encrypted password character-by-character with the decryption key (or XOR key as it should be known).

Using the above example, my program generated the decryption key as:

A7 79 F8 55-95 D0 26 4F-F2 7F 2C

**Note**

Remember this is in hex too, so it really means:

0xA7 0x79 0xF8 0x55 etc.

**Note**

Ok, now the odd bit...remove the first two hex values of both the XOR key and the encrypted password. Why this is needed is explained a bit later. So, for my example we would end up with:

ENCRYPTED PASS = 90 34 F6 BB 40 2E 83 7F

XOR KEY = F8 55-95 D0 26 4F-F2 7F 2C

So looking back at the encrypted password, we will actually be XOR'ing:

0x90 xor 0xF8

0x34 xor 0x55

0xF6 xor 0x95

0xBB xor 0xD0

etc.

and just to do a quick example XOR:

[ 0x90 xor 0xF8 ]

0x90 = 144

0xF8 = 248

010010000
011111000
----------------
001101000

= 104

XOR all of the encrypted password like this and write all of the results down (so for our example, the first result would be 104). Now convert the results to their Ascii symbols, so 104 would become: h

The easier approach:

Ok, if all the talk of XOR scares you, here is the easier way. Below is the code for both visual basic and delphi to perform the XOR calculations above. The visual basic code to do this (using the example) would be:

Now let's look at what you have ended up with (whether you used the manual approach or the code above). You should have something in the format of this:

< The password! > < maybe 1 more useless character >

And yes, the password should have decrypted as 'hackfaq'.

If you were wondering what the 3 useless characters actually mean, then here it is:

The first character is a length word and is a hex value (therefore you shouldn't really convert it to its ascii value) - the hex value should be equal to the length of the decrypted password. To cut a long story short, the first character holds the length of the password.

The second character is rubbish - I believe? or it might be part of the length...who knows.

The last useless character is simply a null terminator - i.e. zip, nothing, 0
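As an added example (not the tutorial's own Visual Basic or Delphi code, which is not reproduced on this page), here is the CryptIV conversion and the XOR step in Python using the values from the worked example above. The XOR key is the one the text says ICQ99b.exe produced; the key-generation routine itself (XorKeyGn.pas) is not on this page, so it is not implemented here.

```python
import struct
from typing import Tuple

# Values from the worked example in the text: the 4 raw characters after
# "99BCryptIV" (']', 'ß', '˜', 't' = 93, 223, 152, 116), the 10 bytes stored
# after "Password", and the XOR key the text says ICQ99b.exe generated.
CRYPTIV_RAW = bytes([93, 223, 152, 116])
ENCRYPTED = bytes.fromhex("AF 79 90 34 F6 BB 40 2E 83 7F")
XOR_KEY = bytes.fromhex("A7 79 F8 55 95 D0 26 4F F2 7F 2C")


def cryptiv_value(raw: bytes) -> int:
    """1st + 2nd*256 + 3rd*65536 + 4th*16777216, which is simply the four
    bytes read as a little-endian unsigned 32-bit integer."""
    if len(raw) != 4:
        raise ValueError("CryptIV is exactly 4 bytes")
    return struct.unpack("<I", raw)[0]


def cryptiv_hex(raw: bytes) -> str:
    """The same value written in hex the way the text wants it (7498DF5D)."""
    return f"{cryptiv_value(raw):08X}"


def xor_decrypt(enc: bytes, key: bytes) -> Tuple[int, bytes]:
    """XOR the stored blob byte for byte with the key.

    The text drops the first two bytes of each before XOR'ing; XOR'ing them
    as well shows what they are: a little-endian length word which, in this
    example, comes out as 8, i.e. 'hackfaq' plus its null terminator.
    Returns (length word, password without the trailing null)."""
    if len(key) < len(enc):
        raise ValueError("XOR key shorter than the encrypted blob")
    plain = bytes(e ^ k for e, k in zip(enc, key))
    length = struct.unpack("<H", plain[:2])[0]
    body = plain[2:2 + length]
    return length, body.rstrip(b"\x00")


if __name__ == "__main__":
    print("CryptIV =", cryptiv_value(CRYPTIV_RAW), "= 0x" + cryptiv_hex(CRYPTIV_RAW))
    length, password = xor_decrypt(ENCRYPTED, XOR_KEY)
    print("length word =", length, "password =", password.decode("ascii"))
```

The point for anyone storing credentials: a fixed-length XOR with a key derived from data in the same file is an encoding, not protection, so whoever can read the .dat file can read the password.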

I am really really sorry if I lost anyone during this topic! It is probably the most complex topic we have covered, and is quite difficult to explain - although I felt I should include this as we covered ICQ last volume...and as no-one else has explained it well.

If it really was a bit much and you are completely lost - then you can download the new program off my web site called "ICQ Decrypt". It will do everything mentioned above for you - just point it in the direction of your ICQ99b dat file and it will show you the password. Get it here

Actually, I would be interested to hear some comments about what people thought of this topic. Mail me

And lastly, many many thanks go to CovertD for the brilliantly coded xorkeygn.pas - which is the heart of the decryption. Keep it up CovertD!!!

Ok find a guestbook that is not Lpage (Guestworld). I don't know why Lpage doesn't work but it doesn't. Ok, fill in the info. Should look something like this:

Name: DarkNight
Nick: DarkNight
Country: Darkness

Now scroll down to the message or comments section. Enter some html like this.

<h3> HAHAHAHA You have been hacked </h3>
<xmtp> </body>

The Body is what you need, it deletes ALL the guestbook entries. Another
thing you can do is this:

<h3> HAHAHAHAHA You have been hacked </h3>
<plaintext> <xmtp>

This will strip the HTML from all the Guestbook entries. This is kind of good because when people view the entries, they are all in HTML coding. You can add any kind of coding you want to but the two scripts above do the most damage! I'm sure it works on Yahoo-geocities guestbook.

Wang's explanation:

Guest books are those things on web sites where people can leave little messages saying whether they enjoyed the page or not.

It appears that the technique described above works on most guestbooks that are html based. By this I mean that the coding behind the guestbook 'posts' is written in the standard web page Hyper Text Markup Language - much like this hack faq.

This allows the guestbook to look pretty and use different fonts, colours, and table layouts etc. However, when you post your message - no checks are done on it. This means that whatever you write gets put into the guestbook exactly as you entered it. So, if you put html tags into the message - the actual Guest book viewer does not read them as part of the message - but as part of the actual page!

Obviously with this you are limited to only html and no java or other devious stuff (is that right? can you use java as well?) - but if you can make anyone who opens the guest book go to your page...who cares! Think about it - you could send them anywhere. [Wang begins to think...] hey! - what about the \con\con bug!! - why not make it so that whenever anyone tries to read the guest book they get redirected to c:\con\con ! (which would crash them if they are using windows 9x). Just a thought..
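Wang's point is the missing check. As an added example (not code from this faq or from any guestbook script), here is a small Python rendering of a guestbook page once with the posts spliced in verbatim and once with every user field run through html.escape(), plus a parser-based check that reports any tag a visitor managed to add. The sample entries and the page template are constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed entries modelled on the messages shown in the text: raw HTML
# typed into the comments field of a guestbook that does no checking.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"name": "Alice", "comment": "Nice page, thanks!"},
    {"name": "DarkNight", "comment": "<h3> HAHAHAHA You have been hacked </h3>\n<xmtp> </body>"},
    {"name": "DarkNight", "comment": "<plaintext> <xmtp>"},
]

# The only tags the (hypothetical) guestbook template emits itself.
TEMPLATE_TAGS: Set[str] = {"html", "body", "h1", "table", "tr", "td", "br"}


def render_page(entries: List[Dict[str, str]], escape: bool) -> str:
    """Build the guestbook page.

    escape=False reproduces the flaw described above: each post is put into
    the page exactly as entered, so a visitor's tags become part of the page.
    escape=True passes every user-supplied field through html.escape() first,
    so '<', '>', '&' and quotes arrive as entities and the browser shows the
    tags as text instead of acting on them."""
    rows = []
    for entry in entries:
        name, comment = entry["name"], entry["comment"]
        if escape:
            name = html.escape(name, quote=True)
            comment = html.escape(comment, quote=True)
        comment = comment.replace("\n", "<br>")   # the template's own line breaks
        rows.append(f"<tr><td>{name}</td><td>{comment}</td></tr>")
    return ("<html><body><h1>Guestbook</h1><table>"
            + "".join(rows) + "</table></body></html>")


class _TagCollector(HTMLParser):
    """Records every tag name a browser would see in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)

    def handle_endtag(self, tag):
        self.tags.add(tag)


def injected_tags(page: str) -> Set[str]:
    """Tags in the page that the template never wrote. Anything here came
    from a visitor and is exactly what an input check should have stopped."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags - TEMPLATE_TAGS


if __name__ == "__main__":
    for escape in (False, True):
        page = render_page(SAMPLE_ENTRIES, escape)
        print(f"escape={escape}: injected tags = {sorted(injected_tags(page))}, "
              f"</body> appears {page.count('</body>')} time(s)")
```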

Here are some pieces of code that will crash Internet Exploder (sorry, Explorer) and Netscape Navigator:

Have any of you had a go at Zebulun yet? Zebulun is Cyberarmy.com's hacking challenge. Zebulun has different levels to it which you must gain access to, and each time it gets harder. It is designed to test many different aspects of hacking, and people get ranked at each stage. I wanted to write a topic on how to defeat all the levels of Zebulun (well, up to where I got to which was about level 6 Kernel because the zeb7 was down whilst they are remaking it) but I can't really do it because it would be unfair. However, it would be a great topic to do because it would show you exactly how to go about learning and using each different skill - but we will have to wait until zebulun is either completely changed beyond recognition or down before we cover that.

Anyway, what we can cover is the zebulun crashes. I posted this on a few hacking message boards a while ago, and I think it could benefit from being covered here too. On some levels of zebulun, Cyberarmy have made it so that if you get the challenge wrong - a large number of crashes are tried against you. The first crash being the con/con crash - which kills all windows users. What we are going to talk about here is how to block ALL of the crashes and save your computer/browser from crashing. The reason we are covering this is because it is unfair for all the newbies (probably using their parents or schools computers) to keep on getting crashes - and probably banned from the computers they are using.

First of all, you will need a copy of Proxomitron - click this link to get it. Proxomitron is a web filtering program that allows you to see everything your computer is being told over the Internet, and everything your computer is saying. It then lets you create filters to alter or block certain pieces of information either going out or coming into your computer. So, what we are going to do is the following:

Get a copy of the Cyberarmy crash code
Learn what crashes affect us
Set up proxomitron to filter out the crashes
Get answers wrong without crashing!

Ok, the crash code is located at: http://www.cyberarmy.com/crash.shtml - which is where you are redirected to if you get some of the challenges wrong. Go and get that page and have a look at the source.

**Note**

If you can't work out how to get the page onto your computer without crashing go to ********right.com and get a copy of Get Right. Then just give get right the url above and it will get it for you.

**Note**

Had a look at the source? Well, you might notice that Cyberarmy have kindly commented most of the crashes for us! Here are all the crashes:

What you need to do is look through the list and see what might affect your Operating system or your browser. I went through each crash individually, I got the crash code, pasted it into a new html file, and then ran it to see if I was affected. Once you have a list of the ones that affect you, continue...

If you're using Windows, the most important one to block will be con/con because it will crash win. So, fire up your proxomitron and go to the web settings. Create a new filter with the following details:

Now you see how it works, go and create filters for all the crashes that affect you. When Cyberarmy then try to crash you, you should see the crash.shtml page appear...and a lovely 'Unabled to crash system' written at the bottom of the page.

Accessing the control panel in a restricted environment ( by Max van Gorkum )

You were talking lately about getting in the system configuration screen through the "start - help - add/remove programs" option. At our school the help function is cloaked. So, I have a new cool idea. You know that all the main windows functions are stationed in the windows/system area, so I went looking there. Here's my thought: Open Internet Explorer or Netscape (I use them both), and type in the URL strip instead of the normal URL (i.e. "C:/windows/system").

When you arrive there, you should look for files with the ".cpl" extension. If I'm right (I usually am) they look the same as a *.dll file. If you can't find them, look for the filenames called Main, Password or Sysdm. You should see them. Each one stands for a part of the configuration screen. Like in "password.cpl" you can add/change the windows login password. And yes! Finally! in "Inetcpl.cpl" you can change the configuration for internet, such as the level of security and that kind of things. Just click them, and you're in!

Wang's additions:

A good extension to the 'start menu, help' method of getting to the control panel. This method is the next thing to try if the start menu method doesn't work or you don't have 'help' on your start menu. However, if your control panel is disabled in the first place it suggests that someone is intent on you not messing with the system. Therefore you will have to just hope that this method works! You may also find (on more securely set up systems) that you will not be able to get to c:\ via internet explorer.

It might also be worth mentioning here, you might be able to get to the systems 'Internet options' another way. If you have an Internet Explorer icon on your desktop, you might be able to right click on it and choose 'properties'. In most cases, this will then take you directly into the Internet properties.

First of all, what are local restrictions? Whenever we refer to the word 'local' what it actually means is YOUR computer, i.e. the one you are sitting at. This is of course, the opposite to 'Remote' which would refer to a computer somewhere else (for example, a computer you connect to over the Internet would be referred to as a 'Remote Computer'). Restrictions are what system admins and those strange technicians with beards put on your local computers to stop you from accessing certain things. Typical local restrictions include:

Blocking access to the Windows control panel, and any of the tools contained within.
Blocking access to MS Dos
Blocking access to the registry
Blocking access to items on the start menu
Blocking access to particular directories or files (typically c:\windows, c:\windows\system)
Blocking particular web sites
Stopping you performing simple actions (such as creating shortcuts, and renaming files)
Block access to the BIOS (main setup of the computer, Basic Input Output System)

Why would they want to do this? Well, just maybe, they are expecting hackers like you! We all know that we wouldn't use our knowledge to cause damage to the system (right?) - but there are many people who would. Now, for some reason, all of the networks I have access to are set up really really well (by technicians with beards)...but does this mean they are un-hackable? Of course not. Literally every time they change something about the system, whether it be adding a new program or patching a security hole, they always open up a new hole somewhere else - it's true. Remember, no system can ever be 100% secure. Now, let's talk about some ways to bypass all of these restrictions and regain our freedom.

*Note* Some of these techniques are very dependent on how your system is setup, and some of them simply won't work for you. Please don't send me emails saying "It doesn't work! its rubbish!"...because I guarantee you it will work for a lot of people.

Most of the restrictions we mentioned above are set up using a program called Poledit (short for Policy Editor). This program is included on the windows 9x and NT CDs - but is not installed by windows. You will need to have a look on your windows CD for 'poledit' in order to install it. Poledit allows you to create system policies which will block off certain areas of windows.

How does it work? Basically, all it does is add information to the registry. Then, windows can look in the registry to see what you are allowed to access, and what you're not. hmm, not particularly secure is it? So, in order to bypass the local restrictions, what we actually need to do is edit the registry. Now, if your bearded technician actually understands how the policies work - they will have set up the policies so that you don't have access to the registry! Game over...or not. All it does is block the use of regedit.exe - so what we need to do is find a way of editing the registry without using regedit. Well, some of you clever people will use your programming languages to do it...but notepad is as good as any!

You can write registry files in notepad! all you need to do is save them as .reg and then run them. So, the first thing we would do is re-enable the use of regedit.exe to make getting rid of the policies a little more simple. In notepad, type in:

*NOTE* Please leave a blank line after the last line or the code won't work! I don't know why this is, but just trust me!

Now save it as "Registry.reg" and double click on it. If you receive a message about adding data to the registry, just click ok. Now try running regedit (either from the c:\windows directory or from a floppy disk if the admins have removed it) again - it should now let you in!

This is where the system policies are stored. Editing the items here should regain you access to the features of windows. Let's look at a few more examples:

Another one that the bearded technicians love to disable is the display settings. The display settings are usually accessible by right clicking on the desktop and choosing 'properties'. The reason they usually disable this is because people like to mess around with the screen savers and put hacker backgrounds on the computers. So, going into notepad and writing the following:

There are many more items that the policies can block - so I suggest you play with the poledit program and see exactly what you can do.

I have just shown you how insecure policies are - yet admins still use them. However, the other option is 3rd party programs. These are programs written by other companies that are supposed to stop you doing things. Let's look at how these might work. Well, firstly - a program can't control what you're doing unless it's running, right? So, the first thing to look at is whether you can close the program down and therefore end the restrictions. I would first of all look at using ctrl-alt-delete and seeing what is running...if you can see something which looks suspicious - kill it. However, some programs use stealth to stop themselves being listed in ctrl-alt-delete - so try using the program that comes with windows 98 called 'System Manager'. It has a feature that shows you what is running on your system, and often lists items which don't appear in ctrl-alt-delete. The next option is to get a copy of the program yourself! Use it at home and learn how it works...see if you can spot anything that could be a potential exploit and also check out how it uses the registry. If all fails, take the drastic approach and get to the add/remove programs page and try and remove it.

Here are some other little tricks:

If you are restricted from creating shortcuts on the desktop, you can use the windows scripting host built into later versions of windows 95 and all versions of 98. The windows scripting host is kind of like a replacement for the outdated batch files (.bat files) which use the msdos language. They use either Visual basic or Java and allow you to perform many useful windows functions - and you can write your little programs in notepad! So, if you are restricted from creating a shortcut on the desktop, try this:

Open Notepad

Type in the following (but fill in the bits in red with the relevant information!!):

If you are unable to access the main motherboard setup or BIOS, there are a couple of ways of getting through the password. The first is to try some backdoor passwords - BIOS manufacturers sometimes put backdoor passes in, here are some for various BIOS's:

If none of the backdoor passes work, try using a BIOS password cracker - the file "cmoscrack.exe" is included in this volume. This is just one of the crackers that I found.

As I say, local restrictions can be very dependent on how the system is set up - but I think most of you will find that the system policies trick works! It is also worth mentioning that you may need to remove the policies each time you log on...this is because the technician might have set the network up so that whenever you log on the policies are downloaded to your machine. This can be a pain, but just write yourself a large .reg file which you can run when you log on and remove all the restrictions at once!

Ok, not strictly a hacking question - but this is a useful piece of knowledge. I use Netscape Communicator for my web browsing/email because I used it long before I tried Internet Explorer - and have grown to prefer using it. Recently when I upgraded from an older version of Netscape to version 4.7 - I noticed a slight addition that the Netscape team have made!

When you open up Netscape Messenger - it automatically loads up a half page advert! This is not only annoying because it wastes my bandwidth, but it delays the retrieving of my mail - which is not acceptable. Anyhow, I read recently how you can get rid of it:

Go to your c:\program files\netscape\users\<user name>\ folder (replace <user name> with your username)
You should see a file called "Prefs.js" - right click on it and choose edit.
Anywhere in the file, add in the line: user_pref("mailnews.start_page.enabled", false);
Next time you load up messenger, you won't get the advert!

If you open up messenger and the advert is still there, try closing netscape and then re-opening it. If that fails, go back to the prefs.js file and check that the line is still there (it may be further down in the file, because netscape automatically arranges the file). If it is gone, it means you typed the line in wrongly! Try again!

"Mail Machine is a great mailing list script that allows visitors to your website to subscribe and unsubscribe to your mailing list without ANY work from you. This is a great way to inform your visitors on what's happening, and bring them back!"

The reason I have written this is not to encourage people to go and mess up servers with MailMachine running - it is to make people realise it is not a secure script. Hopefully the author will then take notice of what I have said and do something about it.

I recently downloaded MailMachine for use on my server, and after a couple of test runs I realised that a number of flaws are present. I think this is the only way to really understand how programs work. I have received emails from readers before asking questions like "How on earth are you meant to spot flaws or exploits in programs?"...and this is the answer. If I install a new CGI script on my server, I need to know exactly how it works to make sure it is set up ok. In this case, I followed these steps:

Installed the CGI onto my server.
Ran a test subscription and tried to subscribe myself to my mailing list.
It was not working in the ways I had hoped so I began looking more closely at the code and altering it to make it work how I wanted it to work.
Once I actually understood what each part of the script did, I began spotting some flaws - which, to someone who had installed the script on their server, could prove very nasty.

Here are the problems I found, although there are probably a lot more:

1) Subscribing

When the 'confirm subscription' option is on, it is easy for anyone to guess the confirmation url they need to go to in order to confirm the subscription, as it follows this format:

So, a hacker could subscribe anyone he wants to the list by first entering their email address and clicking subscribe, and then confirming the subscription by adding a ?<email> on the end of the scripts location. This renders MailMachine's confirm subscription option useless.

2) Unsubscribing

The same type of security problem is present, except this time a confirmation is not even necessary. A member of the list can unsubscribe themselves at any time by going to:

No confirmation will be sent, they will simply receive an email to say they have been unsubscribed. So, a hacker can unsubscribe anyone from the list by going to that address. This effectively means that anyone can unsubscribe anyone.

3) Permissions

"Email.txt" and "Temp.txt" hold the subscribed emails and the 'to be confirmed' email addresses respectively. By default the permissions set to the files "email.txt" and "temp.txt" means that the two files can be read by anyone. A hacker could access the file "email.txt" and unsubscribe everyone from the list using the technique mentioned above.

4) Banned addresses

The owner of the list is allowed to specify some banned addresses, however, these banned addresses are cAsE sensitive. So, if I ban the address:

This makes it very difficult and annoying for a mailing list admin to actually ban an address.

5) More Case problems

MailMachine makes checks to see if someone who tries to subscribe is already subscribed. The case sensitivity is also present on subscribing an address. Therefore, the checks that mailmachine makes to see if the address is already subscribed are pointless - even with checks, if you@you.com is subscribed - You@you.com would be allowed.
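As an added example (not MailMachine's own code, which is not reproduced here), the following Python sketch shows how problems 1 to 5 above would be closed in a list script: a random token emailed to the address for both the subscribe and the unsubscribe step instead of a confirmation URL built from the address itself, one normalised spelling of every address for the ban and duplicate checks, and a member file that is not world-readable. All names are hypothetical.

```python
import hmac
import os
import secrets
from typing import Dict, Iterable, Optional, Set


def normalize(address: str) -> str:
    """One canonical spelling for every comparison: trimmed and lower-cased.
    The domain part is case-insensitive by definition; folding the local part
    too is a policy choice that closes the you@you.com / You@you.com gap."""
    return address.strip().lower()


class MailingList:
    """Subscribe/unsubscribe flow with per-request random tokens in place of
    a confirmation URL that anyone can build from the address alone."""

    def __init__(self, banned: Iterable[str] = ()) -> None:
        self.banned: Set[str] = {normalize(a) for a in banned}
        self.members: Set[str] = set()
        self.pending_join: Dict[str, str] = {}    # address -> token sent by email
        self.pending_leave: Dict[str, str] = {}

    def subscribe(self, address: str) -> Optional[str]:
        """Start a subscription. Returns the token that would be emailed to
        the address (so only that mailbox can finish the step), or None.
        The page shown to the visitor should read the same in every case."""
        addr = normalize(address)
        if addr in self.banned or addr in self.members:
            return None
        token = secrets.token_urlsafe(32)      # 256 random bits, not derived from the address
        self.pending_join[addr] = token
        return token

    def confirm(self, address: str, token: str) -> bool:
        addr = normalize(address)
        expected = self.pending_join.get(addr)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending_join[addr]
        self.members.add(addr)
        return True

    def request_unsubscribe(self, address: str) -> Optional[str]:
        """Leaving needs the same emailed confirmation, so knowing an address
        (for instance from a readable email.txt) is no longer enough."""
        addr = normalize(address)
        if addr not in self.members:
            return None
        token = secrets.token_urlsafe(32)
        self.pending_leave[addr] = token
        return token

    def confirm_unsubscribe(self, address: str, token: str) -> bool:
        addr = normalize(address)
        expected = self.pending_leave.get(addr)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending_leave[addr]
        self.members.discard(addr)
        return True

    def save_members(self, path: str) -> None:
        """Write the list owner read/write only (0600) instead of
        world-readable; keep the file outside the web root as well."""
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(sorted(self.members)) + "\n")
```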

Here are a few answers I have sent to individual people over the email recently:

How can I get round a ban on IRC?

Well, when you get banned - you can be banned with a number of different ban methods (i.e. there are many different types of bans, some ban your nickname, some ban your IP, some ban part of your hostname etc.) so getting around them is very much dependent on how the person banned you.

Things to try include:

Changing your nickname
Reconnecting to the server
Disconnecting from the net, then re-connecting (usually a good one)
Quickly adding a proxy/firewall into your mirc settings - then re-connecting.

The last one is good because it will change your IP address and your hostname, without you having to re-connect to the net.

How do you hack an FTP server?

The best way to hack FTP servers is by looking for the vulnerabilities in the software. I recommend you connect to the ftp server and find out what software the ftp server is (it will tell you when you connect to it) and what version it is. Then go to:

and do a vulnerability search for that ftp software to see if there are any security holes in it. It is also worth trying default accounts to get access to an FTP server (accounts such as guest, anon, anonymous etc.)

uraloony, Founder of Loony Services
Visit us at
http://www.loonyservices.com/